Return-Path: <rusty@gandalf.ozlabs.org>
Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 6F103C0032
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 23 Oct 2023 02:13:26 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp1.osuosl.org (Postfix) with ESMTP id 48C728206E
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 23 Oct 2023 02:13:26 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 48C728206E
Authentication-Results: smtp1.osuosl.org;
 dkim=pass (2048-bit key) header.d=rustcorp.com.au header.i=@rustcorp.com.au
 header.a=rsa-sha256 header.s=202305 header.b=YUVF0LKl
X-Virus-Scanned: amavisd-new at osuosl.org
X-Spam-Flag: NO
X-Spam-Score: -1.604
X-Spam-Level: 
X-Spam-Status: No, score=-1.604 tagged_above=-999 required=5
 tests=[BAYES_05=-0.5, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
 autolearn=ham autolearn_force=no
Received: from smtp1.osuosl.org ([127.0.0.1])
 by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 4LmgKQu6MfYi
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 23 Oct 2023 02:13:24 +0000 (UTC)
Received: from gandalf.ozlabs.org (mail.ozlabs.org
 [IPv6:2404:9400:2221:ea00::3])
 by smtp1.osuosl.org (Postfix) with ESMTPS id B37368206A
 for <bitcoin-dev@lists.linuxfoundation.org>;
 Mon, 23 Oct 2023 02:13:24 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org B37368206A
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rustcorp.com.au;
 s=202305; t=1698027199;
 bh=OUW8izyxzZIEaSLGB4zOo1oTQN+g9qHdzX0iT1serz0=;
 h=From:To:Subject:In-Reply-To:References:Date:From;
 b=YUVF0LKlk4UPzgiyj2HNgAZq1y6fYA9DKiGnzpa0VHuJ9lBtlubehef+gWU3U44Wj
 9lXYXhM4LdOoLpVAvp1kk1iv0gaw7vDU8r7Um/f1LLbAhbBNPeBXnWd45bZXfXI9nS
 /mIHpIrGv1fqRIgjc536hFSlJJtgZf4mTy4kIztv4k2WV1nDO1ao1E9Ra06q4OBUOY
 WSO4NL/NXTSTonYDFKte5qF2tqox3Pykkfk4mx8pFU9ITb7gbRn11DZt2VbMmiky4U
 Q5XahP+vMl0di9MvoP08comssAv8AifqkNXGGcgEoNcJ5il8HC5Gv+YSmteSsBvNIv
 tSuh7R29i+Mug==
Received: by gandalf.ozlabs.org (Postfix, from userid 1011)
 id 4SDJdC0TWPz4x5j; Mon, 23 Oct 2023 13:13:19 +1100 (AEDT)
From: Rusty Russell <rusty@rustcorp.com.au>
To: Brandon Black <freedom@reardencode.com>, Bitcoin Protocol Discussion
 <bitcoin-dev@lists.linuxfoundation.org>
In-Reply-To: <ZTKMWr5x_JjaLnIG@console>
References: <87v8b2vu4q.fsf@rustcorp.com.au> <ZTKMWr5x_JjaLnIG@console>
Date: Sun, 22 Oct 2023 14:46:33 +1030
Message-ID: <87edhnwau6.fsf@rustcorp.com.au>
MIME-Version: 1.0
Content-Type: text/plain
Subject: Re: [bitcoin-dev] Examining ScriptPubkeys in Bitcoin Script
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>, 
 <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Oct 2023 02:13:26 -0000

Brandon Black <freedom@reardencode.com> writes:
> On 2023-10-20 (Fri) at 14:10:37 +1030, Rusty Russell via bitcoin-dev wrote:
>>         I've done an exploration of what would be required (given
>> OP_TX/OP_TXHASH or equivalent way of pushing a scriptPubkey on the
>> stack) to usefully validate Taproot outputs in Bitcoin Script.  Such
>> functionality is required for usable vaults, at least.
>
> So you're proposing this direction as an alternative to the more
> constrained OP_UNVAULT that replaces a specific leaf in the taptree in a
> specific way? I think the benefits of OP_UNVAULT are pretty big vs. a
> generic construction (e.g. ability to unvault multiple inputs sharing
> the same scriptPubkey to the same output).

I would have to write the scripts exactly (and I'm already uncomfortable
that I haven't actually tested the ones I wrote so far!) to properly
evaluate.

In general, script makes it hard to do N-input evaluation (having no
iteration).  It would be useful to attempt this though, as it might
enlighted us as to OP_TXHASH input selection: for example, we might want
to have an "all *but* one input" mode for this kind of usage.

Dealing with satsoshi amounts is possible, but really messy (that's my next
post).

>> TL;DR: if we have OP_TXHASH/OP_TX, and add OP_MULTISHA256 (or OP_CAT),
>> OP_KEYADDTWEAK and OP_LESS (or OP_CONDSWAP), and soft-fork weaken the
>> OP_SUCCESSx rule (or pop-script-from-stack), we can prove a two-leaf
>> tapscript tree in about 110 bytes of Script.  This allows useful
>> spending constraints based on a template approach.
>
> I agree that this is what is needed. I started pondering this in
> response to some discussion about the benefits of OP_CAT or OP_2SHA256
> for BitVM.

Given these examples, I think it's clear that OP_MULTISHA256 is almost
as powerful as OP_CAT, without the stack limit problems.  And OP_2SHA256
is not sufficient in general for CScriptNum generation, for example.

> Personally I'd use OP_TAGGEDCATHASH that pops a tag (empty tag can be
> special cased to plain sha256) and a number (n) of elements to hash,
> then tagged-hashes the following 'n' elements from the stack.

That's definitely a premature optimization to save two opcodes.

Cheers,
Rusty.